Post-Breach: Utah Boosts Info Security

Actions Come in the Wake of Health Data Incidents

In the aftermath of a massive health data breach last year and a smaller incident this year, the state of Utah is taking a number of steps, including creating a data security office within the health department.

In addition, Utah's governor recently signed a new law that calls for implementing security and privacy best practices at the department of health, as well as in other executive branches of state government.

The actions come in the aftermath of a March 2012 hacking incident that exposed health department data on about 780,000 individuals.

In January, a smaller breach involved a contractor who lost an unencrypted USB drive containing health department data for 6,000 individuals.

Funding for Staff

Just before the state's legislative session ended in late March, legislators approved $300,000 in funding for the health department to create the new security office, says Robert Rolfs, M.D. In addition to being Utah's health IT coordinator, Rolfs also is deputy director and state epidemiologist at the health department.

The money will help enable the department to build a team of two to four staff members working on security and privacy issues on a part-time or full-time basis, Rolfs says. Until now, no one in the department was dedicated to data security and privacy work. Instead, the department relied on the state's centralized IT services department and some third-party contractors to handle security- and privacy-related issues.

"In retrospect, it's naïve to think you can decentralize something ... and assume third parties will do well without any monitoring," Rolfs says.

Staff at the new office within the health department will tackle shortcomings in privacy and security that were discovered after the 2012 breach, Rolfs says. The new office will also help with ongoing issues, such as HIPAA Omnibus Rule compliance.

"Our focus in the office is guided by our internal assessment and the audit done by Deloitte & Touche," Rolfs says. The health department hired the firm to conduct the analysis after the March 2012 incident.

The key areas of weakness highlighted by the analysis that are now being addressed include:

Moving forward, the department will need to better balance creativity and risk, he says. "We don't want to put molasses in the gears ... but we've learned that the world is a dangerous place."

Breach Incidents

The massive March 2012 breach incident involved Eastern European hackers gaining access to a Utah state server managed by the Department of Technology Services. The breach exposed health department data on Medicaid clients and Children's Health Insurance Plan recipients. It also exposed data on others because providers often check whether their patients are eligible for state programs by entering information about them into the health department system's database.

Of those affected by the incident, 280,000 individuals had their Social Security numbers breached.

In the aftermath of that breach, the department learned that closer attention needs to be paid to change management during the entire life cycle of an IT system, Rolfs says. "We learned that over the life of a data system, during times of change, you have to have controls in place so that you don't lose sight of issues that crop up that could give you problems down the road."